Sunday, July 25, 2010

Where are AD Groups Used?

Utilizing Varonis DatAdvantage, one can determine how an Active Directory group is being used on a file server. To find where a security group is applied to a folder directly (that is, named in the folder's own ACL rather than inherited from a parent), run the 4a – Effective Permissions for User or Group report. Select each file server that you want Varonis to investigate; since we are only interested in folders where the group appears directly in the ACL, there are two options that need to be selected and set to True:
  • "Show only direct permissions"
  • "Distinguished unique"


This allows you to see every folder where the security group is directly applied, rather than every folder where it merely inherits access from a parent.
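If you do not have DatAdvantage on a given server, the same "direct permissions" view can be produced with plain PowerShell. The script below is an added example, not Varonis output and not part of the original post: it walks a share, reads each folder's ACL with Get-Acl, and keeps only the access control entries that name the group and are not inherited. The root path and group name are placeholders.

```powershell
# Added example: report every folder under $Root whose ACL carries a
# non-inherited ACE for $Group, i.e. the group is applied directly.
# Inherited ACEs are skipped, which mirrors "Show only direct permissions".
function Find-DirectGroupAces {
    param(
        [Parameter(Mandatory)] [string] $Root,   # e.g. '\\fs01\Finance' (placeholder)
        [Parameter(Mandatory)] [string] $Group   # e.g. 'CORP\Finance-RW' (placeholder)
    )

    # Include the root itself; a group applied at the share root is the most common case.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName
        } catch {
            # Do not skip silently: an unreadable ACL is a gap in the report.
            Write-Warning "Cannot read ACL on $($dir.FullName): $_"
            continue
        }

        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited -and $ace.IdentityReference.Value -ieq $Group) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Type      = $ace.AccessControlType      # Allow or Deny
                    Rights    = $ace.FileSystemRights
                    AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                }
            }
        }
    }
}

# Usage (placeholder share and group): one row per folder where the group is in the ACL directly.
Find-DirectGroupAces -Root '\\fs01\Finance' -Group 'CORP\Finance-RW' |
    Sort-Object Folder -Unique |
    Format-Table -AutoSize
```

Run it as an account that can read ACLs on every folder in the tree; folders whose ACL cannot be read are reported as warnings rather than dropped. Deny entries are listed alongside Allow entries, because a direct Deny for a group is exactly the kind of ACL the report is meant to surface.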

Tuesday, July 6, 2010

Dealing with the CounterACT "Port Scan - SNMP" message

One of the challenges in managing the ForeScout CounterACT appliance is dealing with and cleaning up the false positives that arise from anomalous but non-malicious network behavior. For example, today we received a set of alerts for one particular server, 192.168.111.18, indicating that it was performing SNMP port scans. ForeScout correctly detected that something unusual was occurring, but classified it as a malicious event.

Every few hours the server was performing SNMP port scans against IP addresses that no longer existed. What was causing these scans?


Upon further investigation, the addresses belonged to printers that had been moved and given new IP addresses. By running regedit and searching for one of the old IP addresses, we were able to determine that it was a printer port the server was still trying to reach.

We went into the Control Panel, selected the printer in question, assigned it to the LPT1 port, deleted the old TCP/IP port, and then deleted the print queue. The problem was solved and another false positive was eliminated. Thanks John!
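The regedit search above can be turned into a repeatable triage step. The script below is an added example, not part of the original post: it reads the Standard TCP/IP Port monitor's port definitions from the registry on the print server, checks whether each target still answers a ping, notes whether SNMP status polling is enabled on the port (the periodic SNMP traffic is what the appliance saw), and lists which print queues still reference the port. It assumes the usual registry layout for that port monitor and that the printers answer ICMP; a device that blocks ping will show as unreachable even though it is live, so treat the result as a shortlist to verify, not a verdict.

```powershell
# Added example: find Standard TCP/IP printer ports whose target host no longer
# responds, along with the queues that still use them. Run on the print server
# (here 192.168.111.18) with rights to read HKLM and query WMI.
function Get-StalePrinterPorts {
    param([int] $PingCount = 2)

    # Assumed location of the Standard TCP/IP Port monitor's port definitions.
    $portsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports'

    # Local print queues; Win32_Printer.PortName ties a queue to a port.
    $queues = Get-WmiObject -Class Win32_Printer

    foreach ($portKey in Get-ChildItem -Path $portsKey) {
        $p        = Get-ItemProperty -Path $portKey.PSPath
        $portName = $portKey.PSChildName
        # Ports are defined by hostname or by IP address; prefer the hostname if set.
        $target   = if ($p.HostName) { $p.HostName } else { $p.IPAddress }
        if (-not $target) { continue }

        # ICMP reachability is a heuristic: a printer that drops ping looks stale here.
        $alive = Test-Connection -ComputerName $target -Count $PingCount -Quiet -ErrorAction SilentlyContinue

        $usedBy = $queues | Where-Object { $_.PortName -eq $portName } | ForEach-Object { $_.Name }

        [pscustomobject]@{
            Port        = $portName
            Target      = $target
            Reachable   = [bool]$alive
            SnmpEnabled = ($p.'SNMP Enabled' -eq 1)   # port monitor polls device status over SNMP
            Queues      = ($usedBy -join ', ')
        }
    }
}

# Ports with an unreachable target and SNMP polling enabled are the likely source
# of periodic SNMP probes to addresses that no longer exist.
Get-StalePrinterPorts |
    Where-Object { -not $_.Reachable } |
    Format-Table -AutoSize
```

For each row, either repoint the port at the printer's new address or, as in the post, move the queue to another port and delete the old one. Unchecking "SNMP Status Enabled" on a port stops the polling only for that port and is a workaround, not a fix, if the queue is no longer needed.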